Enthusiast

Sig 3334 Windows Workstation Service Overflow

We are seeing a very large number of these signatures firing and I'm wondering if anyone has identified legitimate MS traffic as triggering this alert...

8 REPLIES
Cisco Employee

Re: Sig 3334 Windows Workstation Service Overflow

We have not identified any benign triggers associated with this signature. Could you provide a traffic sample of the questionable traffic?

Not applicable

Re: Sig 3334 Windows Workstation Service Overflow

Enthusiast

Re: Sig 3334 Windows Workstation Service Overflow

I have performed a packet capture and identified the alerts as a false positive. How do I upload the capture?

Cisco Employee

Re: Sig 3334 Windows Workstation Service Overflow

You can upload your capture directly on Netpro. When you post an answer, you'll notice the "Add Attachments" link below the Post button.

Beginner

Re: Sig 3334 Windows Workstation Service Overflow

We are seeing this as well. In our environment it's on a Unisys printer attached with an external HP Jetdirect server.

I have a log but cannot attach it here directly due to any information that is in it that may be confidential. I'd be happy to upload it directly via another avenue.

Sincerely,

Ron Russell

Enthusiast

Re: Sig 3334 Windows Workstation Service Overflow

Cisco MUST do a better job of tuning their signatures. We implemented a Juniper IDP (inline and blocking) and I only rely on the Cisco IDSs for secondary / tertiary information b/c of this very reason. I spent about 1 full day chasing down the false positives on this one signature. A huge waste of my company's time and money and another reminder that we made the right choice in implementing our Juniper IDP.

Contact me directly with any questions about our Juniper Intrusion Prevention and Detection appliance. It sits inline and filters our VPN, Internet and RAS segments coming into our network.

Beginner

Re: Sig 3334 Windows Workstation Service Overflow

I have identified a trend between multiple traces that are triggering the 3334 signature. It appears that RPC traffic to Lexmark printers is triggering this signature and creating false positives. If this is the case on your network you will be able to see the Lexmark information later in the stream if you enable IP logging. Please let me know if you are seeing the same type of traffic.
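The triage the posters above describe (pull every 3334 alert, see which destination hosts are really printers, and decide which ones deserve an event-action filter) can be scripted. The following is an added example, not Cisco's code or anything from this thread; the alert line format, the sigId 9999 entry and the printer inventory are constructed assumptions.

```python
"""Triage helper for IDS Sig 3334 alerts (added example, not Cisco's code).

Groups constructed 3334 alert records by destination host and flags the
hosts that belong to a confirmed-printer inventory, so the analyst can
decide whether an event-action filter for those hosts is justified.
The alert format and the inventory below are constructed assumptions."""
import re
from collections import defaultdict

# Constructed alert lines, loosely modelled on a syslog-style IDS export.
ALERTS = """\
evIdsAlert sigId=3334 sigName="Windows Workstation Service Overflow" src=10.1.4.22 dst=10.1.9.50 dport=445
evIdsAlert sigId=3334 sigName="Windows Workstation Service Overflow" src=10.1.4.23 dst=10.1.9.50 dport=445
evIdsAlert sigId=3334 sigName="Windows Workstation Service Overflow" src=10.1.4.22 dst=10.1.9.51 dport=445
evIdsAlert sigId=3334 sigName="Windows Workstation Service Overflow" src=203.0.113.7 dst=10.1.2.10 dport=445
evIdsAlert sigId=9999 sigName="Other signature (constructed)" src=203.0.113.7 dst=10.1.2.10 dport=80
"""

# Constructed asset inventory: hosts the site has confirmed to be printers.
PRINTER_HOSTS = {"10.1.9.50": "Lexmark (RPC print services)",
                 "10.1.9.51": "HP Jetdirect"}

ALERT_RE = re.compile(r'sigId=(?P<sig>\d+) .*?src=(?P<src>\S+) dst=(?P<dst>\S+)')

def parse_alerts(text, sig_id="3334"):
    """Return (src, dst) pairs for every alert line carrying sig_id."""
    pairs = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m and m.group("sig") == sig_id:
            pairs.append((m.group("src"), m.group("dst")))
    return pairs

def triage(pairs, printers):
    """Split alerts into likely false positives (dst is a known printer)
    and alerts that still need a look; each side maps dst -> set of srcs."""
    likely_fp, investigate = defaultdict(set), defaultdict(set)
    for src, dst in pairs:
        (likely_fp if dst in printers else investigate)[dst].add(src)
    return dict(likely_fp), dict(investigate)

def report(text=ALERTS, printers=PRINTER_HOSTS):
    """Print a tuning summary and return the two triage buckets."""
    fp, inv = triage(parse_alerts(text), printers)
    for dst, srcs in fp.items():
        print(f"review for event-action filter: {dst} ({printers[dst]}), {len(srcs)} source(s)")
    for dst, srcs in inv.items():
        print(f"investigate: {dst}, sources {sorted(srcs)}")
    return fp, inv
```

Hosts in the "investigate" bucket are exactly the ones where IP logging, as suggested above, would show whether the later part of the stream is printer traffic or not.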

Cisco Employee

Re: Sig 3334 Windows Workstation Service Overflow

We are researching this signature for modification in a future update.
